Archives: Data Breach

Subscribe to Data Breach

Card-issuing banks are forging ahead with their lawsuit against Target arising from the 2013 holiday shopping season data breach.  Their July 1 motion for class certification has just been unsealed, allowing a glimpse at plaintiffs’ version of the events during November and December 2013 that resulted in theft of payment card data for 40 million Target customers.

The Target data breach occurred after hackers were able to compromise the security of a Target refrigeration vendor.  The vendor’s log-in credentials to the Target computer system provided a portal to infiltrate Target and install malware on point-of-sale (“POS”) terminals that was used to record and steal customers’ card data.  In their class certification motion, the banks focus heavily on Target’s alleged data security failings.  They claim that Target retained unencrypted card data, disregarded warnings about malware targeting POS terminals, disabled security features that purportedly would have detected the POS malware, ignored alerts generated by its malware detection software, and failed to audit the vendor’s data security practices.  Little in the allegations is new, but the allegations are calculated to demonstrate that Target acted negligently in a fashion that consistently and adversely affected the entire putative class of card issuer banks.

To certify their proposed nationwide class, the card issuers will have to establish that choice of law principles allow application of Minnesota law to card-issuing banks located in all 50 states.  Were the court to find that each bank’s claim is subject to the law of its state in which it is chartered or has its principal place of business, the numerous and substantial differences in the laws of those states could preclude adjudication of all of the banks’ claims in a single class.

Otherwise, the linchpin of plaintiffs’ argument is that this case should be tried as a class action because all of the banks suffered common harms arising from the regulatory requirements that apply to compromised cards, including costs associated with card cancellation, notice to customers, account monitoring activity, and refunds for fraudulent charges.   Plaintiffs fail, however, to address predominance issues associated with the inability to determine whether fraud losses on compromised cards arose from the Target breach, or from theft of the card data somewhere else.  In In re TJX Cos. Retail Sec. Breach Litig., 246 F.R.D 389 (D. Mass. 2007), the court held that endemic fraud levels in the payment card industry made it impossible to determine with any certainty which losses result from a data breach, thereby requiring individualized proceedings on damages that preclude class certification.  Plaintiffs allege that their expert can accurately calculate which fraud losses were attributable to the Target breach.  It is likely that Target’s opposition papers have focused on this issue and will contest the ability to trace fraud losses to the Target breach.

Finally, plaintiffs’ papers ignore the question of whether resolution of claims in the federal court is superior to use of the Visa and MasterCard dispute resolution processes.  Although the recently-announced Visa settlement had not been finalized as of the July 1 filing of plaintiff’s motion papers, the earlier unsuccessful attempt to resolve claims through the MasterCard settlement process plainly demonstrates the availability of that process to resolve card issuer data breach claims.  Plaintiffs make no attempt to address that issue either.  Given their conclusion of the Visa settlement and renewed attempts to pursue a MasterCard settlement, Target is likely to argue that the availability of such processes mean a federal court class action does not afford a superior mechanism to resolve the claims of card-issuer banks.

Target’s opposition to the class certification motion was filed on August 5 but, like plaintiffs’ motion papers, was filed under seal.  Target’s papers will not be available to the public until redactions can be made to avoid disclosure of commercially sensitive information.

Risks to sensitive data have never been greater. With the rise in cyber attacks and data breaches, outsourcing to third parties can present an exponential threat to corporations. New regulations, technologies, standards, and security threats require organizations to implement robust vendor oversight to meet and stay ahead of the latest risks and challenges from new payment methods and systems, data breaches, and cyber attacks.   Register here for our next Wednesday Webinar on this important topic and read on –   Continue Reading The Third Party Vendor Risk to Your Data – Wednesday Webinar

Rather than our usual Privacy Monday “bits and bytes,” we have a breaking story relating to the ongoing Wyndham/FTC saga.

Today, Wyndham Worldwide Corp. lost a critical round in the Third Circuit.   Anticipated since April, 2014, the three-judge panel upheld U.S. District Judge Esther Salas’ ruling that the Federal Trade Commission (FTC) has the authority under the “unfairness” prong of Section 5 of the FTC Act to bring suit against companies over data security practices.

For all the background leading up to today’s ruling, we send you back to our April 2014 post  summarizing Judge Salas’ ruling and a recap of the entire case history, going back to June 2012 when the FTC filed its complaint.  The FTC originally alleged that Wyndham had engaged both in unfair and deceptive business practices in violation of Section 5 by failing to maintain reasonable and appropriate security measures.  The alleged security failures led to at least three data breaches between April 2001 and January 2010, exposing consumer data and payment card account numbers.  Wyndham has been fighting back all along the way, using this case to oppose the FTC’s authority and claiming that the agency exceeded statutory powers.

The appeals court said that Wyndham “cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform….[T]he company can only claim that it lacked fair notice of the meaning of the statute itself — a theory it did not meaningfully raise and that we strongly suspect would be unpersuasive under the facts.”

This precedential opinion squarely rejects Wyndham’s argument that the FTC exceeded its statutory authority and Congress never intended for the commission to be able to use its Section 5 powers to police “failures to institute voluntary industry best practices” and virtually ensures the position of the FTC as “top cop” for data privacy and security regulation.

 

Written by Wynter Deagle

The Impact Team, the vigilante group behind the hacking of the infamous website AshleyMadison.com has followed through on its threat to leak the full database of the site’s users online.  On Tuesday, August 18, 2015, an impressive 9.7 gigabytes of compressed data was posted to the dark web using an Onion address accessible only through the Tor browser.  The files appear to include the names, addresses, phone numbers, email addresses, seven years of credit card data (dating back to 2007), and, in some cases, detailed sexual preferences and desires of AshleyMadison’s approximately 32 million users.  The credit card data, which amounts to millions of transactions, includes names, street address, email address and amount paid, but not credit card numbers; instead it includes four digits for each transaction that may be the last four digits of the credit card or simply a unique transaction ID.

While it is presently unclear whether all of the data supplied by users to AshleyMadison is legitimate, the growing consensus is that the information is legitimately from AshleyMadison’s site.   But, the site never verified any email addresses supplied upon registration, therefore, not every leaked email belongs to an “actual” AshleyMadison “user”.

The Ashley Madison hack is by no means the biggest data grab to date, but it is certainly one of the most notorious.   The Telegraph (London) is even running “real time” updates as reporters comb through the data trove for famous or government email addresses.  Take a look here.

While some may be worried that spouses will discover attempted or actual infidelity, this data dump also creates increased risk for employers.  This large list of email addresses is likely to be irresistible to those launching “phishing attacks” by delivering malicious links or attachments containing malware in seemingly innocuous emails.  This creates additional risk for intrusion into corporate networks where an employee may have used his or her work email to register with AshleyMadison or if an employee checks their personal email at work.  In addition, the vast array of leaked personal information could also be used to impersonate the AshleyMadison users and gain access to, for example, corporate networks.

Finally, the AshleyMadison leak underscores the poor security practices we have often decried on this blog.  As an initial matter, AshleyMadison exercised terrible data retention practices.  Ashley Madison evidently kept credit card transactions going back over seven years, including information on 250,000 “deleted” accounts.  Why would any company maintain credit card records for nearly eight years, particularly on accounts that should have been deleted?  The lack of an appropriate data retention policy has resulted in serious legal exposure for AshleyMadison as users can (and likely will) claim that AshleyMadison negligently maintained their data.

Separate and apart from the data retention issues, it appears that AshleyMadison only used the bcrypt algorithym to hash their passwords without providing any additional layers of protection.  While encryption using bcrypt is a good security measure, this alone is not sufficient.  Data security is by no means one-size fits all.  However, a more secure approach would have been a multi-pronged security effort including items such as adroit data retention, appropriate deletion, encryption of data, and two-factor authentication.

In short, we live in an era where massive amounts of personal data are being hacked and exposed.  This new reality requires companies to take a hard look at their data security measures.  The take away here:  from both a PR and a legal perspective, your company does not want to be the next AshleyMadison. 

Target has announced that it has entered into a settlement with Visa to resolve claims of issuers of Visa credit and debit cards arising from Target’s November 2013 data breach.  The proposed settlement will pay issuers of Visa payment cards up to $67 million to reimburse losses associated with the theft of card numbers from Target POS terminals.  Unlike an earlier proposed $19 million settlement with MasterCard, the Visa settlement does not require card issuer approval.  The MasterCard settlement agreement terminated in May 2015 for failure to gain the required approval of issuers of 90% or more of the affected cards.  Additional details of this settlement will follow as they become available.

 

It’s Privacy Monday again – and summer is winding down.

Here are three bytes of privacy/security information to start your week:

1.  House Committee Releases HHS Breach Investigation

If you are subject to HIPAA and the oversight of the Department of Health and Human Services (HHS), schadenfreude will probably best describe your reaction.

A report recently released by the House Energy & Commerce Committee reveleaed that hackers have breached at least five divisions of HHS — including the FDA — in the last three years.

“What we found is alarming and unacceptable,” committee Chairman Fred Upton, Michigan Republican, and Oversight and Investigations Subcommittee Chairman Tim Murphy, Pennsylvania Republican, said in a joint statement. “At a time when sensitive information is held by so many in the public and private sectors, Americans should not have to worry that the U.S. government is left so vulnerable to attack.”

The 27-page review of HHS information security found that the breaches were unsophisticated and the affected agencies “often struggled to provide accurate, clear and sufficient information on the security incidents” during the course of their investigation.  According to the Privacy & Security Matters Monday Blog Series Imagecommittee, officials at two breached agencies were unable to provide accurate details about security incidents within their own networks. “These incidents raise questions about whether information security officials have the appropriate level of expertise,” the report reads.

Continue Reading Privacy Monday – August 17, 2015: Three Bytes for End of Summer

Neiman Marcus Petition Claims that Seventh Circuit Decision Invents Harm to Find Standing to Bring Data Breach Claims

Retailer Neiman Marcus has filed a petition seeking en banc review by the entire Seventh Circuit of the decision by a three-judge panel of that court in Remijas v. Neiman Marcus Group, LLC reversing dismissal of consumer data breach claims for lack of standing.   As we previously reported, the panel decision in Remijas held that injuries consisting of 1) lost time and money resolving the fraudulent charges, and 2) lost time and money protecting against future identity theft, were sufficient to confer Article III standing for consumers to bring suit.   In so ruling, the panel rejected the district court’s holding that plaintiffs’ allegations of potential future harms arising from stolen credit card numbers were too remote to satisfy the standing requirements set forth by the Supreme Court in Clapper v. Amnesty Intʹl USA, 133 S. Ct. 1138 (2013).  Continue Reading Neiman Marcus Chides Seventh Circuit Panel

By Breton Leone-Quick

Many of the highest-profile and headline-catching data breaches involve external breaches of a company’s electronic systems. But the reality that these headlines obscure is the fact that internal data breaches are generally more prevalent and represent a primary source of concern for data security managers.

The legal liability of employers for data breaches by its employees is generally an underdeveloped area of the law. But a case currently pending before the Massachusetts Appeals Court will help determine the scope of this liability in Massachusetts. Continue Reading Massachusetts Appeals Court Set to Consider Scope of Employer Liability for Employee Data Breaches

Originally posted in Mintz Levin’s Health Law & Policy Matters Blog

Written by Jordan Cohen

In yet another data breach affecting millions of individuals, UCLA Health System (“UCLA”) reported on Friday – July 17, 2015 – that hackers had accessed portions of its health network that contained personal information, including names, addresses, dates of birth, social security numbers, medical record numbers, Medicare or health plan ID numbers, and some medical information (including medical conditions, medications, procedures, and test results).  Affected individuals include UCLA’s patients as well as providers that sought privileges at the health system.

As night follows day, by the following Tuesday – July 21, 2015 – UCLA became a defendant in a class action lawsuit after plaintiff Michael Allen filed the action in California federal court. The complaint alleges a number of violations related to the breach, including violation of California’s Confidential Medical Information Act. Continue Reading Data Breach = Class Action Suit. Again.